| Mise en place d’un certificat Let’s Encrypt pour Zimbra 8.8.9 |
| Article original Publié le : 11 août 2018
Mise a jour le : 30 novembre 2019 |
Suite a la mise a jour de mon serveur et au renouvellement du certificat, je mets a jour la procédure moins confuse que la précédente.
/!\ Petit rappel, pour générer un certificat avec Let’s Encrypt, il faut que le port 443 soit ouvert et non utilisé.
Se connecter en user zimbra puis stopper le service proxy
# su - zimbra
$ zmproxyctl stop
Revenir sur son user ou root puis générer le certificat
# ./opt/letsencrypt/letsencrypt-auto certonly --standalone -d nom_du_serveur_mail
Pour validation, cela renverra
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/nom_du_serveur_mail/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/nom_du_serveur_mail/privkey.pem Your cert will expire on 2018-11-09. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Créer le root-ca
# vim /tmp/root-ca.pem
-----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE-----
Copier les fichiers générés par Let’s Encrypt dans /tmp, puis créer la chaîne de certification.
# cp /etc/letsencrypt/live/nom_du_serveur_mail/* /tmp
# cd /tmp
# cat chain.pem root-ca.pem > chain-root-ca.pem
Sauvegarder le précédent certificat, renommer les fichiers,copier le nouveau certificat et mettre les droits.
# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
# mv cert.pem commercial.crt
# mv chain-root-ca.pem chain.txt
# cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# chown zimbra.zimbra /tmp/*.crt
# chmod 666 /tmp/*.crt
Puis se reconnecter avec le user Zimbra et finaliser le déploiement du certificat et redémarrer les services.
$ su - zimbra
$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt
$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt
$ zmcontrol restart
Pour vérifier le certificat
# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
SubjectAltName=nom_du_serveur_mail - imapd: /opt/zimbra/conf/imapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=nom_du_serveur_mail - ldap: /opt/zimbra/conf/slapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=nom_du_serveur_mail - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=nom_du_serveur_mail - mta: /opt/zimbra/conf/smtpd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=nom_du_serveur_mail - proxy: /opt/zimbra/conf/nginx.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
22/06/2019 : Ajout d’un petit script qui regroupe toute les commandes.
Pré-requis: Avoir le root-ca en local et verifier le chemin du repertoire let’s encrypt.
# ./renew_cert_zimbra.sh
#!/bin/bash su zimbra /opt/zimbra/bin/zmproxyctl stop /opt/letsencrypt/certbot-auto certonly cp /root/root-ca.pem /tmp cp /etc/letsencrypt/live/server-mail.domaine.tld/* /tmp cd /tmp cat chain.pem root-ca.pem > chain-root-ca.pem cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") mv cert.pem commercial.crt mv chain-root-ca.pem chain.txt cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key chown zimbra.zimbra /tmp/*.crt chmod 666 /tmp/*.crt su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt" su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt" su - zimbra -c "/opt/zimbra/bin/zmcontrol restart" su - zimbra -c "/opt/zimbra/bin/zmcertmgr viewdeployedcrt" echo "" echo "Verification de la date du certificat" echo "" echo | openssl s_client -servername server-mail.domaine.tld -connect server-mail.domaine.tld:443 2>/dev/null | openssl x509 -noout -dates
A l’execution:
Stopping proxy...done.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/server-mail.domaine.tld.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/server-mail.domaine.tld/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/server-mail.domaine.tld/privkey.pem
Your cert will expire on 2019-09-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer server-mail.domaine.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer server-mail.domaine.tld...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/c1d601f8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c1d601f8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host server-mail.domaine.tld
Stopping zmconfigd...Done.
Stopping imapd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host server-mail.domaine.tld
Starting ldap...Done.
Starting zmconfigd...Done.
Starting dnscache...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
Starting imapd...Done.
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
Verification de la date du certificat
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
30/11/2019 : Suite au renouvellement du certificat est apparu une nouvelle option, il faut choisir standalone et entrer le fqdn complet.
Bonjour,
j’ai réussi à émettre mon certificat en copiant le root-ca que tu donnes dans ton article. Mais je voudrais savoir à quelle url tu récupères le ceretificat, celui que tu présentes n’allant qu’au 30 septembre 2021 :
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT
On pourrait ainsi inclure dans le script le téléchargement du certificat ayant cours au moment du renouvellement.
Bonjour,
J’avais récupéré la root-ca chez Symantec qui a été racheté par Digicert cette année
l’url https://knowledge.digicert.com/solution/SO20541 qui renvoi vers le lien de la root-ca ne fonctionne pas
Download the Root CA certificate. Save Root CA certificate file (e.g. /tmp/ca.crt)
Oops, there is a problem The page you requested cannot be found. Search by entering one or more keywords in the search field above
Va falloir attendre qu’il mette a jour leur page :/